From owner-freebsd-pf@FreeBSD.ORG  Tue Jun 23 07:50:09 2015
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@nevdull.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 6ED74FE7
 for <freebsd-pf@nevdull.freebsd.org>; Tue, 23 Jun 2015 07:50:09 +0000 (UTC)
 (envelope-from ian.freislich@capeaugusta.com)
Received: from mail-wg0-f46.google.com (mail-wg0-f46.google.com [74.125.82.46])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 01860BF9
 for <freebsd-pf@freebsd.org>; Tue, 23 Jun 2015 07:50:08 +0000 (UTC)
 (envelope-from ian.freislich@capeaugusta.com)
Received: by wgck11 with SMTP id k11so1965115wgc.0
 for <freebsd-pf@freebsd.org>; Tue, 23 Jun 2015 00:50:01 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:from:to:cc:subject:in-reply-to:references
 :mime-version:content-type:content-id:content-transfer-encoding:date
 :message-id;
 bh=LuF0ROSMtuLLzHJpd7+H6Bw7XSlvnFGS8Axnmh0LjqU=;
 b=lTp0zsH/VWyuhWb51aZzP7WcWOgeFND8KsM0yIcJGRmOpp65LER89Y080bBixRE9JK
 5h1cnNU3GuvcwuxK9mc3sUR9c3qbngqCdhRJtdzpAlH87N2nbuTDeVQJ/tSPsh/q0BsJ
 a2JeWieFH9zUZxnEd5cDZyyzfd3p+YhdUxs1iW/hmNPTshASvILBpYlVOmW/aNb7mA7K
 xcbmNReIfGLaiJOu5YOQSBk0lzk800Yq6nfFBUY7BPGup8qP51fYGNCPHqvfGc6vj2tv
 T4JwfTrG/iuEQH/7TNkzDC9FhfOoKmhvFIMrffROmxgxmmHPle1WfqtLMDKBJ+duIZV2
 LX5A==
X-Gm-Message-State: ALoCoQkpajmNNS+u9xS8aLsp0D3TfrPGJ2ZhF0GB5e0d14eYqGZFI/P2EE4eYNrgPlmqJ+V/AYZS
X-Received: by 10.180.91.76 with SMTP id cc12mr890995wib.67.1435045801485;
 Tue, 23 Jun 2015 00:50:01 -0700 (PDT)
Received: from clue.co.za ([197.89.156.54])
 by mx.google.com with ESMTPSA id ul1sm34292806wjc.30.2015.06.23.00.49.59
 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Tue, 23 Jun 2015 00:50:00 -0700 (PDT)
From: Ian FREISLICH <ian.freislich@capeaugusta.com>
X-Google-Original-From: Ian FREISLICH <ianf@capeaugusta.com>
Received: from localhost ([127.0.0.1] helo=zen)
 by clue.co.za with esmtp (Exim 4.85 (FreeBSD))
 (envelope-from <ianf@capeaugusta.com>)
 id 1Z7Ixx-0006K1-5p; Tue, 23 Jun 2015 03:49:57 -0400
To: Milan Obuch <freebsd-pf@dino.sk>
cc: freebsd-pf@freebsd.org
Subject: Re: Large scale NAT with PF - some weird problem
In-Reply-To: <20150623073856.334ebd61@zeta.dino.sk>
References: <20150623073856.334ebd61@zeta.dino.sk>
 <20150621133236.75a4d86d@zeta.dino.sk> <20150620182432.62797ec5@zeta.dino.sk>
 <20150619091857.304b707b@zeta.dino.sk>
 <14e119e8fa8.2755.abfb21602af57f30a7457738c46ad3ae@capeaugusta.com>
 <E1Z6dHz-0000uu-D8@clue.co.za> <E1Z6eVg-0000yz-Ar@clue.co.za>
 <20150621195753.7b162633@zeta.dino.sk>
X-Attribution: BOFH
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <24303.1435045797.1@zen>
Content-Transfer-Encoding: quoted-printable
Date: Tue, 23 Jun 2015 09:49:57 +0200
Message-Id: <E1Z7Ixx-0006K1-5p@clue.co.za>
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
 \(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf/>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jun 2015 07:50:09 -0000

Milan Obuch wrote:
> As a first step, I did small upgrade, so now I run FreeBSD 9.3-STABLE
> #0 r284695: Mon Jun 22 08:55:29 CEST 2015.
> =

> I still see the issue, but I found simpler workaround when bad state
> ocurs - using
> =

> pfctl -k <ip.of.affected.client>
> pfctl -K <ip.of.affected.client>
> =

> in this order seems to remedy the issue for this one affected client
> without affecting other clients. This still does not solve the problem,
> just eases the reaction.

How is your NAT rule defined?  I had a closer look at the way I did it:

nat on vlan46 from 10.8.0.0/15 to !<on-our-net> -> xx.xx.xx.xx/24 round-ro=
bin sticky-address

I think you may be missing the "round-robin" that spreads the mapping
over your pool.  The manual says that when more than 1 address is
specified, round-robin is the only pool type allowed, it does not
say that when more than 1 address is specified this is the default
pool option.

You can check your state table to see if it is indeed round-robin.

#pfctl -s sta |grep " ("
...
all tcp a.b.c.d:53802 (10.0.0.220:42808) -> 41.246.55.66:24       ESTABLIS=
HED:ESTABLISHED
all tcp a.b.c.e:60794 (10.0.0.38:47825) -> 216.58.223.10:443       ESTABLI=
SHED:FIN_WAIT_2

If all your addresses "a.b.c.X" are the same, it's not round-robin
and that's your problem.

Ian

-- =

Ian Freislich